Security Services

Security Overview:

Amazon GuardDuty

• Incident detection service in AWS that monitors the most important logs in AWS.

• Can add your own IOC IP addresses to alert on.

  • TA can add their IP address to be ignored in alerts (defense evasion)

GuardDuty collects it logs automatically:

• AWS CloudTrail logs

• Amazon Virtual Private Cloud (Amazon VPC) flow logs

• Amazon Route 53 DNS logs

• (Optional) EKS Audit logging

• (Optional) Lambda protection

• (Optional) Malware protection in storage

• (Optional) RDS protection

• (Optional) Runtime protection for ECS and EC2

• (Optional) S3 protection using S3 logging

Things to know

• GuardDuty is regional needs to be enabled in each region and in every account you use

• Use Security Hub to centralize findings

• Collection of logs is out-of-band and does not interfere with existing configuration

• Doesn’t work on historical logs only forward in time IR use case

• GuardDuty is a very good indicator for incidents in AWS

Amazon Inspector

What:

• Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure.

How Inspector automatically scans for vulnerabilities in:

• EC2 instances works on Windows and Linux

• Container images in the container registry

• AWS Lambda functions

• Uses Amazon Systems Manager (SSM) to perform scanning on instances

• Scans for vulnerabilities in the operating system as well as the software packages used

• Lambda scanning also allows for scanning of code for potential vulnerabilities

AWS Detective

Data sources collected for Amazon Detective:

• AWS CloudTrail logs

• Amazon Virtual Private Cloud (Amazon VPC) flow logs

• For accounts that are enrolled in GuardDuty, Detective also ingests GuardDuty findings

• (Optional) Amazon EKS Audit Logs

• (Optional) AWS Security findings from Security Hub

AWS Security Hub

AWS Security Lake